summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTobias Geerinckx-Rice <me@tobias.gr>2019-10-23 19:43:02 +0200
committerTobias Geerinckx-Rice <me@tobias.gr>2019-10-23 19:58:48 +0200
commit3f4ea9a62b5fa68d57724b2f83c35a191e33b7c8 (patch)
tree89c23778ff146795ad9924e8582622cc2a5f76fe
parentdff0eedb04ac7c61fc1e2ddd4cd577f83f5eb89a (diff)
gnu: avahi: Fix CVE-2018-1000845 and duplicate CVE-2017-6519.
* gnu/packages/avahi.scm (avahi/fixed): New variable. (avahi)[replacement]: Use it. * gnu/packages/patches/avahi-CVE-2018-1000845.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/avahi.scm11
-rw-r--r--gnu/packages/patches/avahi-CVE-2018-1000845.patch42
3 files changed, 54 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index a8138a945c..50bcab514a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -706,6 +706,7 @@ dist_patch_DATA = \
%D%/packages/patches/ath9k-htc-firmware-objcopy.patch \
%D%/packages/patches/audacity-build-with-system-portaudio.patch \
%D%/packages/patches/automake-skip-amhello-tests.patch \
+ %D%/packages/patches/avahi-CVE-2018-1000845.patch \
%D%/packages/patches/avahi-localstatedir.patch \
%D%/packages/patches/avogadro-boost148.patch \
%D%/packages/patches/avogadro-eigen3-update.patch \
diff --git a/gnu/packages/avahi.scm b/gnu/packages/avahi.scm
index e71ffc2982..408be8ed57 100644
--- a/gnu/packages/avahi.scm
+++ b/gnu/packages/avahi.scm
@@ -35,6 +35,7 @@
(package
(name "avahi")
(version "0.7")
+ (replacement avahi/fixed)
(home-page "http://avahi.org")
(source (origin
(method url-fetch)
@@ -74,6 +75,16 @@ network. It is an implementation of the mDNS (for \"Multicast DNS\") and
DNS-SD (for \"DNS-Based Service Discovery\") protocols.")
(license lgpl2.1+)))
+(define avahi/fixed
+ (package/inherit avahi
+ (source (origin
+ (inherit (package-source avahi))
+ (patches
+ (append (search-patches "avahi-CVE-2018-1000845.patch")
+ (origin-patches (package-source avahi))))))
+ ;; Hide a duplicate of the CVE fixed above.
+ (properties `((lint-hidden-cve . ("CVE-2017-6519"))))))
+
(define-public nss-mdns
(package
(name "nss-mdns")
diff --git a/gnu/packages/patches/avahi-CVE-2018-1000845.patch b/gnu/packages/patches/avahi-CVE-2018-1000845.patch
new file mode 100644
index 0000000000..e5b13e0bee
--- /dev/null
+++ b/gnu/packages/patches/avahi-CVE-2018-1000845.patch
@@ -0,0 +1,42 @@
+From e111def44a7df4624a4aa3f85fe98054bffb6b4f Mon Sep 17 00:00:00 2001
+From: Trent Lloyd <trent@lloyd.id.au>
+Date: Sat, 22 Dec 2018 09:06:07 +0800
+Subject: [PATCH] Drop legacy unicast queries from address not on local link
+
+When handling legacy unicast queries, ensure that the source IP is
+inside a subnet on the local link, otherwise drop the packet.
+
+Fixes #145
+Fixes #203
+CVE-2017-6519
+CVE-2018-100084
+---
+ avahi-core/server.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index a2cb19a8..a2580e38 100644
+--- a/avahi-core/server.c
++++ b/avahi-core/server.c
+@@ -930,6 +930,7 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
+
+ if (avahi_dns_packet_is_query(p)) {
+ int legacy_unicast = 0;
++ char t[AVAHI_ADDRESS_STR_MAX];
+
+ /* For queries EDNS0 might allow ARCOUNT != 0. We ignore the
+ * AR section completely here, so far. Until the day we add
+@@ -947,6 +948,13 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
+ legacy_unicast = 1;
+ }
+
++ if (!is_mdns_mcast_address(dst_address) &&
++ !avahi_interface_address_on_link(i, src_address)) {
++
++ avahi_log_debug("Received non-local unicast query from host %s on interface '%s.%i'.", avahi_address_snprint(t, sizeof(t), src_address), i->hardware->name, i->protocol);
++ return;
++ }
++
+ if (legacy_unicast)
+ reflect_legacy_unicast_query_packet(s, p, i, src_address, port);
+